Slashdot Mirror


Possible RSS Abuse in Longhorn

dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."
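The enclosure mechanism the summary describes, as an added example that is not part of the original post, of eWeek's or Don Park's write-ups, or of any product mentioned: a small Python triage step a podcast sync client could run over a feed before fetching anything, treating the feed as untrusted input. The allow-list policy, the size cap, the `example.test` URLs and the sample feed are all constructed assumptions.

```python
"""Defensive handling of RSS <enclosure> elements for a podcast sync client.

Added example for this thread; not code from Microsoft, eWeek, Don Park or any
podcast client.  Everything here (the allow-list policy, the size cap, the
sample feed) is a constructed assumption.  The summary's point is that a feed
is an untrusted input channel, so the client decides, not the feed: which media
types it will fetch, how large they may be, and whether the bytes it eventually
receives match what the feed claimed.
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed policy: declared MIME type -> file extensions it may carry.
ALLOWED_TYPES = {
    "audio/mpeg": {".mp3"},
    "audio/mp4": {".m4a", ".mp4"},
    "audio/ogg": {".ogg", ".oga"},
}
MAX_ENCLOSURE_BYTES = 500 * 1024 * 1024  # constructed cap, 500 MiB

# Constructed feed: one clean episode and four items a client should refuse.
CONSTRUCTED_FEED = """<rss version="2.0"><channel><title>Example cast</title>
<item><title>ok</title><enclosure url="https://example.test/ep1.mp3" length="12345678" type="audio/mpeg"/></item>
<item><title>exe</title><enclosure url="https://example.test/ep2.exe" length="1024" type="application/octet-stream"/></item>
<item><title>spoof</title><enclosure url="https://example.test/ep3.scr" length="1024" type="audio/mpeg"/></item>
<item><title>huge</title><enclosure url="https://example.test/ep4.mp3" length="99999999999" type="audio/mpeg"/></item>
<item><title>badlen</title><enclosure url="https://example.test/ep5.mp3" length="abc" type="audio/mpeg"/></item>
</channel></rss>"""


def check_enclosure(url, length, mime):
    """Apply the client's policy to one enclosure; return (accepted, reason)."""
    parsed = urlparse(url or "")
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False, "unsupported or missing URL scheme"
    if mime not in ALLOWED_TYPES:
        return False, "media type not allowed: %r" % mime
    ext = posixpath.splitext(parsed.path)[1].lower()
    if ext not in ALLOWED_TYPES[mime]:
        return False, "extension %r does not match declared type %r" % (ext, mime)
    try:
        size = int(length)
    except (TypeError, ValueError):
        return False, "length is not an integer"
    if size <= 0 or size > MAX_ENCLOSURE_BYTES:
        return False, "declared size %d outside allowed range" % size
    return True, "queued for download"


def triage_feed(xml_text):
    """Parse a feed and return {item title: (accepted, reason)} per enclosure."""
    # xml.etree does not resolve external entities, so a feed cannot pull in
    # local files through the parser; it is still worth a size limit upstream.
    root = ET.fromstring(xml_text)
    results = {}
    for item in root.iter("item"):
        title = item.findtext("title", default="?")
        enc = item.find("enclosure")
        if enc is None:
            continue
        results[title] = check_enclosure(enc.get("url"), enc.get("length"), enc.get("type"))
    return results


def looks_like_mp3(head):
    """Cheap content check on the first downloaded bytes: ID3 tag or MPEG frame sync."""
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


if __name__ == "__main__":
    for title, (ok, why) in triage_feed(CONSTRUCTED_FEED).items():
        print("%-7s %s  %s" % (title, "ACCEPT" if ok else "REJECT", why))
    print("PE header looks like mp3?", looks_like_mp3(b"MZ\x90\x00"))
```

`check_enclosure` runs before any bytes are fetched; `looks_like_mp3` is the second half of the same idea, run on the downloaded header so that a file the feed labelled `audio/mpeg` but which begins with an executable header never reaches the decoder. Neither step fixes a bug in a codec, which is the summary's actual concern; they shrink what an untrusted feed can push at it.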

9 of 214 comments

  1. Worse than worms?!? by zerocool^ · · Score: 4, Insightful

    Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?

    ~Will

    --
    sig?
  2. OS X by m0rph3us0 · · Score: 5, Insightful

    I guess OS X must be REALLY insecure then.

    There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.

  3. Move along...no news here by mrhandstand · · Score: 4, Insightful
    So what we are being told is that downloading something from a potentially untrusted source and then running that data can lead to bad things? Oh My!

    When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization are ubiquitous, these things will continue to plague the networked world.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  4. Blah! We don't have to worry... by slapout · · Score: 5, Funny

    ...cause Longhorn is going to be built on secure .Net technology......oh wait....nevermind. :-)

    --
    Coder's Stone: The programming language quick ref for iPad
  5. Is somebody hungry? by B5_geek · · Score: 4, Funny

    ...decision to bake RSS into Longhorn... ...on the back burner.

    No wonder MS says they can't remove things like IE from the operating system; They cook it all together!!!

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
  6. The perfect slashdot article by gowen · · Score: 5, Insightful
    vulnerabilities in iPod codec, then podcasting is a good way to deliver overflow inducing content.
    Only on slashdot can people find a way to blame (putative) Apple vulnerabilities on Microsoft.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  7. Easier way by Anonymous Coward · · Score: 4, Funny

    Can't MS just develop a specific API for people trying to compromise Windows machines? It would be less work for everyone.

  8. MS vs Apple by Anonymous Coward · · Score: 4, Interesting

    I'm far from an MS fan, doing all of my work for the last few years on Linux, and being currently in the process of moving to OS X. But I have to ask, why is /. reporting a possible vulnerability in an unreleased OS, whereas a serious flaw in the design of OS X (here, today, right now) has not been talked about at all.

  9. Re:Perhaps this is _why_ msft is interested. by dioscaido · · Score: 4, Informative

    Insightful, except for the fact that I'm a developer on Longhorn, and I have to spend endless hours poring through my designs with security groups within Microsoft. And once my component is ready, the source is shipped to the security group for one final run-through for vulnerabilities.

    While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority. We're actually seeing for the first time security concerns trumping 'user friendliness', which is great. Anyway, we have too many eyes from different groups going through our designs and actual code for people to make such shady business decisions.